P3P Future Work Items 4.c: Cross-product problem -- need for grouping
mechanism
Purpose/Scope
Full P3P XML Policies allow for individual <STATEMENT>s within a <POLICY> to
effectively group <PURPOSE>s, <RECIPIENT>s and data <CATEGORIES>. The
Compact Policy does not have a <STATEMENT> element and it is therefore
impossible to produce these logical groupings. The result of this is an
overall aggregation of all declarations that may provide an imperfect
description of the data practices related to the cookie.
For instance, a full policy can say that data <CATEGORIES>:: <FINANCIAL>,
<GOVERNMENT>, <ONLINE> where used for <PURPOSE>s: <CONTACT>,
<INDIVIDUAL-ANALYSIS>, <INDIVIDUAL-DECISION> internally by
<RECIPIENT>::<OUR>, but also in a separate <STATEMENT> that
<CATEGORIES>::<DEMOGRAPHIC>, <COMPUTER>, <UNIQUE> to be used for <PURPOSE>::
<PSEUDO-ANALYSIS> by <RECIPIENT>::<UNRELATED>. This has a vastly different
meaning than the current CP rendition (FIN, GOV, ONL, COM, DEM, CON, PSA,
IVA, IVD, OUR, UNR), which would imply PII information being given to an
unrelated 3rd party.
There is a need to create a <STATEMENT> like grouping mechanism within the
CP. This would require some change to Compact Policy. I see several ways
that this could be achieved:
* Recreation of the <STATEMENT> element through new tokens
"STA" and "/STA" allowing for valid and consistent groupings within.
* Use of parenthesis, brackets or other grouping delimiter to
achieve the same without directly implying all the properties of the
<STATEMENT> element.
Resources:
As this will involve UA producers and the 1.1 working group.
Brooks Dobbs
Director of Privacy Technology
DoubleClick, Inc.
office: 404.836.0525
fax: 404.836.0521
email: bdobbs@doubleclick.net